Malicious PDF — malware analysis report

Static analysis result for SHA-256 e028eec93e931ff6…

MALICIOUS

PDF

34.8 KB Created: 2020-08-30 15:26:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 07e7ba40ba201c10fbb32dd5bd79f350 SHA-1: 5b8589c24c25b382cdf992f83b78cfd415e750c1 SHA-256: e028eec93e931ff654cd9b2cb8783ffff096e66b92b9aa4b5aba1cc9a7a26e3e
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised as a shop manual. This redirector likely leads to a malicious payload. The PDF also contains a large number of links to other PDFs hosted on Shopify, suggesting a link farm for SEO poisoning or to distribute further malicious content. The ML classifier strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=honda+hs622+shop+manual
    • https://cdn.shopify.com/s/files/1/0435/2750/4024/files/59172073913.pdf
    • https://cdn.shopify.com/s/files/1/0430/9037/8909/files/96272181440.pdf
    • https://cdn.shopify.com/s/files/1/0430/1396/3929/files/rafiq_azam_architecture_for_green_living.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/46676539889.pdf
    • https://cdn.shopify.com/s/files/1/0432/0142/9662/files/bto_four_wheel_drive.pdf
    • https://static.usrfiles.com/ugd/b8c837_5f600633f2ff4fc5b198964fd0905691.pdf
    • https://static.usrfiles.com/ugd/b8c837_dd43c14f88954335ae0f6564ca109218.pdf
    • https://cdn.shopify.com/s/files/1/0428/6241/1942/files/sujenejin.pdf
    • https://cdn.shopify.com/s/files/1/0434/1003/0748/files/kakibetegawojos.pdf
    • https://cdn.shopify.com/s/files/1/0433/1307/0238/files/tejojevitovojapakobofiw.pdf
    • https://static.usrfiles.com/ugd/3ceeb9_23b4af6c6ac04f7f90ad7442de4e2dc3.pdf
    • https://static.usrfiles.com/ugd/b85eb0_f05bd4cbf820457bb19bda1ce999106e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a21.bin
2633f62ca6cdeaa550691f183c6a39b350becee7eb6ca95b3d8ce3e98b165fdc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A21 5348 bytes
font_01_sfnt_off00005c24.bin
ff9e72df91bb783afcd0ce77df1d01425e57a4b7e85e5c2bd16b7e0da68ec0d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C24 10164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.